Triathlon of Lightweight Block Ciphers for the Internet of Things

Transcription

1 NIST Lightweight Cryptography Workshop 2015 Triathlon of Lightweight Block Ciphers for the Internet of Things Daniel Dinu, Yann Le Corre, Dmitry Khovratovich, Leo Perrin, Johann Großschädl, Alex Biryukov Laboratory of Algorithmics, Cryptology and Security (LACS) University of Luxembourg

2 Outline Lightweight Crypto for the IoT Benchmarking of Lightweight Ciphers Two application scenarios Implementation aspects Results Execution time, RAM footprint, code size 8-bit AVR, 16-bit MSP430, 32-bit ARM CortexM Figure of Merit (FOM) Conclusions 2 / 16

3 What are Things? Vehicle, asset, person & pet controlling and monitoring Agriculture automation Energy consumption Security & surveillance Building management Embedded mobile M2M & wireless sensor network Source: nkonnect.com Everyday things Smart homes Telemedicine & healthcare Processors embedded into everyday objects ( things ) Wireless communication (WiFi, Bluetooth, ZigBee) 3 / 16

4 IoT Forecast by Cisco Source: Cisco 4 / 16

5 Lightweight Cryptography Not meant to be Weak Cryptography Cryptographic primitives, schemes and protocols tailored to extremely constrained environments such as sensor nodes or RFID tags (Gligor 2005) Requirements for IoT Efficient in HW (performance, area, power) Efficient in SW (performance, RAM, code size) on many 8, 16, and 32-bit platforms Efficient protection against physical attacks Support of different functionality (encryption, hashing) 5 / 16

6 Benchmarking of Lightweight Ciphers Fair and consistent evaluation How well are existing LW suited for the IoT? What are the promising directions for new designs? 3 Core Metrics Execution time, RAM footprint, code size Other metrics can be derived or estimated thereof (e.g. energy consumption) 3 Platforms 8-bit AVR, 16-bit MSP430, 32-bit ARM CortexM Further platforms may be supported in the future 6 / 16

7 13 Considered Ciphers 7 / 16

8 Application Scenarios Scenario 1: Bulk Encryption Example: data transfer between two sensor nodes 128 bytes of data, CBC mode, 80-bit key We measure encryption + decryption + key schedule Representative for performance matters Scenario 2: Challenge-Response Authen. Example: access control, device authentication 128 bits of data, CTR mode, 80-bit key We measure encryption time (round keys pre-comp.) Representative for code size and RAM matter 8 / 16

9 Implementations Several Implementations for each cipher Between 2 and 24 implementations for each cipher (more than 100 in total) Different trade-offs, at least one speed-oriented and one size-oriented implementation Written in ANSI C Portability is very important in the IoT (many HW platforms and operating systems), Useful to assess new ciphers in early stages of the design phase Assembly implementations for AES and PRESENT 9 / 16

10 AES LED RC5 Scenario 1: Execution Time AVR MSP ARM Execution time (cycles) HIGHT Fantomas LBlock Piccolo PRINCE PRESENT Robin Simon Speck TWINE 10 / 16

11 AES LED RC5 Scenario 1: RAM footprint AVR MSP ARM RAM (bytes) Fantomas HIGHT LBlock Piccolo PRESENT PRINCE Robin Simon Speck TWINE 11 / 16

12 AES LED RC5 Scenario 1: Code Size AVR MSP ARM Code size (bytes) HIGHT Fantomas LBlock Piccolo PRESENT PRINCE Robin Simon Speck TWINE 12 / 16

13 AES LED RC5 Scenario 2: Execution Time AVR MSP ARM Execution time (cycles) HIGHT Fantomas LBlock Piccolo PRINCE PRESENT Robin Simon Speck TWINE 13 / 16

14 AES LED RC5 Scenarion 2: RAM Footprint 400 AVR MSP ARM RAM (bytes) Fantomas HIGHT LBlock Piccolo PRESENT PRINCE Robin Simon Speck TWINE 14 / 16

15 AES LED RC5 Scenario 2: Code Size AVR MSP ARM Code size (bytes) HIGHT Fantomas LBlock Piccolo PRESENT PRINCE Robin Simon Speck TWINE 15 / 16

16 Figure of Merit (FOM) 16 / 16

17 AES RC5 LED Scenario 1: FOM Speck Simon Robin Fantomas LBlock HIGHT Piccolo PRESENT PRINCE TWINE 17 / 16

18 AES RC5 LED Scenario 2: FOM Speck Simon Fantomas Robin LBlock HIGHT Piccolo PRESENT TWINE PRINCE 18 / 16

19 Conclusions Simon Wins Big! Consistently fast and small on all three platforms Best FOM score in both scenarios Speck on 2 nd place Other advantages (small silicon area, SCA protection) Runner Up: LS Designs Also fairly good on all three platforms FOM score twice as high as Simon Interesting from SCA perspective More security analysis needed 19 / 16

20 Triathlon Competition Submit implementations (assembly/c) of existing lightweight block ciphers (published at well-known conferences) for the 3 target devices (AVR, MSP, ARM). Based on the implementation performance figures on the 3 target devices (AVR, MSP, ARM) in the 2 evaluation scenarios, you get a number of points. Collect as many points as possible to win the Triathlon The first 3 players/teams by the number of points will be rewarded with special prizes First deadline: September 6, 2015 (before CHES) More info: 20 / 16